Tuesday, April 24, 2018

Implication of Russian Sanctions

During March-April 2018, dozens of Russian diplomats were expelled; hundreds of Russian Troll Factory-related accounts banned; new travel and economic sanctions levied.

Currently, new sanctions are being discussed, and it is probable that the next round will relate to Russian collaboration in Syria's use of chemical weapons against its opposition. Radical measures under discussion include placing Russia on the designated Foreign Terrorist Organizations (FTOs) list.

There are no signs of Russia stepping back. Publicly, Trump is sending signals that he desires a good relationship with Russia, yet both countries are using de-escalation mechanisms to avoid direct military conflict in Syria and other areas of the world.

Wapack Labs has cataloged and reported on Russian cyber threats and geopolitical events in the past. An archive of related reporting can be found in the Red Sky Alliance portal. 
  
WWW.WAPACKLABS.COM

Monday, April 23, 2018

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:
Compromised Email Accounts
Reporting Period: April 23, 2018 

On 23 April 2018, Wapack Labs identified 1,037 unique email accounts compromised with keyloggers and used to log into mostly personal accounts and organizations. Attackers may be able to access not only email addresses but also financial, social media and other data.

Contact Wapack Labs for more information:
603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 

This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:
Reporting Period: April 23, 2018
 
Wapack Labs identified connections from 1,994 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com
 
Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 
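Both recommendations above (block the listed compromised email accounts; monitor or block the listed sinkhole check-in IPs) amount to the same operational task: load a one-per-line indicator list and match it against your own logs. The script below is an added example and is not Wapack Labs code or any of its published indicators; every IP, CIDR, account name and log line in it is constructed for illustration, and the log formats (a `dst=` firewall field, a `user=` mail-auth field) are assumptions you would adapt to your own sources. It accepts single hosts or CIDRs in the IP list and matches account names case-insensitively, since a keylogged account will show up in auth logs in whatever case the user typed.

```python
"""Added example (not Wapack Labs code): match log lines against a
sinkhole IP blocklist and a compromised-account blocklist.

All indicator values and log lines below are constructed for the example;
they are not indicators from any Wapack Labs report."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed blocklists in the shape a published list might take: one
# indicator per line, '#' comments allowed, IPs may be single hosts or CIDRs.
SINKHOLE_IPS = """
# constructed sinkhole check-in sources (example values)
203.0.113.45
198.51.100.0/24
"""

COMPROMISED_ACCOUNTS = """
# constructed keylogged accounts (example values)
alice@example.com
Bob.Smith@example.org
"""

# Constructed sample logs: a firewall connection log and a mail-auth log.
FIREWALL_LOG = [
    "2018-04-23T10:01:02Z fw1 conn src=10.0.0.15 dst=203.0.113.45 dport=443 action=allow",
    "2018-04-23T10:01:09Z fw1 conn src=10.0.0.16 dst=93.184.216.34 dport=443 action=allow",
    "2018-04-23T10:02:30Z fw1 conn src=10.0.0.17 dst=198.51.100.77 dport=80 action=allow",
]
MAIL_AUTH_LOG = [
    "2018-04-23T10:03:00Z imap login user=alice@example.com ip=10.0.0.15 result=ok",
    "2018-04-23T10:03:05Z imap login user=carol@example.com ip=10.0.0.18 result=ok",
    "2018-04-23T10:03:10Z imap login user=bob.smith@example.org ip=10.0.0.19 result=ok",
]


@dataclass
class Hit:
    line: str
    indicator: str
    kind: str  # "sinkhole_ip" or "compromised_account"


def parse_indicators(text):
    """Split a one-per-line indicator list into (networks, accounts).
    Anything that parses as an IP or CIDR becomes an ip_network object
    (a bare host becomes a /32); everything else is an account, lower-cased."""
    networks, accounts = [], set()
    for raw in text.splitlines():
        item = raw.split("#", 1)[0].strip()
        if not item:
            continue
        try:
            networks.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            accounts.add(item.lower())
    return networks, accounts


# Assumed log field layouts (adapt to your own sources).
_DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")
_USER_RE = re.compile(r"\buser=(\S+)")


def match_logs(lines, networks, accounts):
    """Return one Hit per log line that touches a listed IP or account."""
    hits = []
    for line in lines:
        m = _DST_RE.search(line)
        if m:
            addr = ipaddress.ip_address(m.group(1))
            for net in networks:
                if addr in net:
                    hits.append(Hit(line, str(net), "sinkhole_ip"))
                    break
        m = _USER_RE.search(line)
        if m and m.group(1).lower() in accounts:
            hits.append(Hit(line, m.group(1).lower(), "compromised_account"))
    return hits


def run_example():
    """Run both constructed lists over both constructed logs."""
    nets, accts = parse_indicators(SINKHOLE_IPS + COMPROMISED_ACCOUNTS)
    return match_logs(FIREWALL_LOG + MAIL_AUTH_LOG, nets, accts)


if __name__ == "__main__":
    for h in run_example():
        print(f"{h.kind:20} {h.indicator:24} {h.line}")
```

On the constructed input this reports four hits: two firewall connections (one exact host, one inside the /24) and two logins by listed accounts. For a sinkhole list the "monitor" option in the recommendation matters: a hit identifies an internal host that is already infected and beaconing, so the connection record is evidence for incident response, not just something to drop.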

This TLP AMBER report is available only to Red Sky Alliance members.

Tuesday, April 17, 2018

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:
Reporting Period: April 16, 2018
 
Wapack Labs identified connections from 706 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com
 
Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 

This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:
Compromised Email Accounts
Reporting Period: April 16, 2018 

On 16 April 2018, Wapack Labs identified 53 unique email accounts compromised with keyloggers and used to log into mostly personal accounts and organizations. Attackers may be able to access not only email addresses but also financial, social media and other data.

Contact Wapack Labs for more information:
603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 

This TLP AMBER report is available only to Red Sky Alliance members.

Monday, April 16, 2018

New Pony Loader Obfuscation Technique via Smoke Loader

Cyber actors are leveraging the infamous Smoke Loader downloader to deliver several malware families, including the Zeus, Neutrino and Chthonic banking trojans and crypto-mining software. The RIG exploit kit (EK) developers are currently using this downloader to deliver the Monero coin miner. Attackers are now delivering the Pony/Fareit malware via the PowerArchiver compressor (XXEncode 0.0), which significantly reduces the rate of detection by anti-virus vendors (fewer than six vendors detect it) because the file format is identified as a text file. Wapack Labs identified the secondary command and control (C2) infrastructure, which operators continue to develop.

An archive of related reporting can be found in the Red Sky Alliance portal.

Friday, April 13, 2018

China's Network Systems Department Update Summary

Continuing research on China's military cyber force, restructured at the start of 2016 and now called the Strategic Support Force Network Systems Department, indicates that operational security around this unit remains tight. Official references to this entity remain rare. Chinese citizens themselves are in the dark, often speculating online about which elements of the former PLA Third and Fourth Departments have been incorporated into the new structure.

The research did show that a new cover designator for the Network Systems Department is in use: PLA 32069 Unit.  This designator has shown up in several references, including procurement data tied to the address for the Network Systems Department compound in Beijing.

Many questions remain about whether this entity has a cyber attack mission in addition to a cyber collection mission. What relationship it has to known cyber actors in the PLA's Technical Reconnaissance Bureaus remains unclear.

Wapack Labs has cataloged and reported on numerous Chinese cyber threats in the past.  An archive of related reporting can be found in the Red Sky Alliance portal.

Tuesday, April 10, 2018

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:

Compromised Email Accounts
Reporting Period: April 9, 2018 

On 9 April 2018, Wapack Labs identified 62 unique email accounts compromised with keyloggers and used to log into mostly personal accounts and organizations. Attackers may be able to access not only email addresses but also financial, social media and other data.

Contact Wapack Labs for more information:
603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 

This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:
Reporting Period: April 9, 2018

Wapack Labs identified connections from 652 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information:
603-606-1246, or feedback@wapacklabs.com
 
Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 


This TLP AMBER report is available only to Red Sky Alliance members.

Friday, April 6, 2018

Hacking Inside China

Western media frequently report on Chinese cyber operations against other countries but rarely on hacking operations inside China itself. Chinese media do describe problems with cybercrime inside the country and how Chinese law enforcement is confronting them. In general, Chinese official and other media describe internal cybercrime as operations by Chinese hackers against Chinese targets for financial gain. This is reported as a serious problem that is growing significantly year-on-year. Official reporting is incomplete and usually refers only to cases that have been uncovered and prosecuted. Some 2017 reporting discussed up to 4,000 arrests in a year and nearly US$500 million tied to criminal cases.

The internal cybercrime that received the most reporting included:
  • Theft of personal data for sale to others
  • Theft of cash by compromising financial applications
  • Writing malware for sale to others who use it for financial gain
  • Writing game cheats used for financial gain or better gameplay

The Chinese government's reporting on cybercrime and its efforts to quell it could be interpreted as an indication that whatever intrusions are being conducted against targets in the United States are being accomplished by, or with the sanction of, the Chinese government.

Wapack Labs has cataloged and reported on numerous Chinese cyber threats in the past.  An archive of related reporting can be found in the Red Sky Alliance portal.


Tuesday, April 3, 2018

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:

Compromised Email Accounts
Reporting Period: April 2, 2018 

On 2 April 2018, Wapack Labs identified 98 unique email accounts compromised with keyloggers and used to log into mostly personal accounts and organizations. Attackers may be able to access not only email addresses but also financial, social media and other data.

Contact Wapack Labs for more information:
603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 

This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:
Reporting Period: April 2, 2018

Wapack Labs identified connections from 656 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information:
603-606-1246, or feedback@wapacklabs.com
 
Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 

This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:

Compromised Email Accounts
Reporting Period: March 26, 2018

On 26 March 2018, Wapack Labs identified 21 unique email accounts compromised with keyloggers and used to log into mostly personal accounts and organizations. Attackers may be able to access not only email addresses but also financial, social media and other data.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 

This TLP AMBER report is available only to Red Sky Alliance members.

Monday, April 2, 2018

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:   

Reporting Period: March 26, 2018
 
Wapack Labs identified connections from 692 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkhole domains.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com
 
Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 

This TLP AMBER report is available only to Red Sky Alliance members.

Friday, March 23, 2018

China Government Hacker Resurgent

In 2015, China and the United States pledged in a bilateral cyber agreement that they would refrain from conducting cyber operations to steal intellectual property from one another. In 2016, a major drop in such intrusions was noted. By 2017, however, several new cases of cyber intrusion against defense contractors and other commercial entities were identified, which raises the question of whether the Chinese have in fact been constrained by the 2015 agreement. Wapack Labs reviewed the major cyber operations cases of 2017 that appeared to have Chinese origins to assess the current trends in government-sponsored operations and answer the question: is China currently abiding by this agreement? Has being a signatory to the agreement constrained Chinese government behavior in any meaningful way?

Wapack Labs has cataloged and reported on Chinese state-sponsored cyber operations in the past. An archive of related reporting can be found in the Red Sky Alliance portal.